Age | Commit message (Collapse) | Author | Files | Lines |
|
We now generate the PAC, and can verifiy both our own PAC and the PAC
from Win2k3.
This commit adds the PAC generation code, spits out the code to get
the information we need from the NETLOGON server back into a auth/
helper function, and adds a number of glue functions.
In the process of building the PAC generation code, some hints in the
Microsoft PAC specification shed light on other parts of the code, and
the updates to samr.idl and netlogon.idl come from those hints.
Also in this commit:
The Heimdal build package has been split up, so as to only link the
KDC with smbd, not the client utils.
To enable the PAC to be veified with gensec_krb5 (which isn't quite
dead yet), the keyblock has been passed back to the calling layer.
Andrew Bartlett
(This used to be commit e2015671c2f7501f832ff402873ffe6e53b89466)
|
|
quite a large change as we had lots of code that assumed that
objectSid was a string in S- format.
metze and simo tried to convince me to use NDR format months ago, but
I didn't listen, so its fair that I have the pain of fixing all the
code now :-)
This builds on the ldb_register_samba_handlers() and ldif handlers
code I did earlier this week. There are still three parts of this
conversion I have not finished:
- the ltdb index records need to use the string form of the objectSid
(to keep the DNs sane). Until that it done I have disabled indexing on
objectSid, which is a big performance hit, but allows us to pass
all our tests while I rejig the indexing system to use a externally
supplied conversion function
- I haven't yet put in place the code that allows client to use the
"S-xxx-yyy" form for objectSid in ldap search expressions. w2k3
supports this, presumably by looking for the "S-" prefix to
determine what type of objectSid form is being used by the client. I
have been working on ways to handle this, but am not happy with
them yet so they aren't part of this patch
- I need to change pidl to generate push functions that take a
"const void *" instead of a "void*" for the data pointer. That will
fix the couple of new warnings this code generates.
Luckily it many places the conversion to NDR formatted records
actually simplified the code, as it means we no longer need as many
calls to dom_sid_parse_talloc(). In some places it got more complex,
but not many.
(This used to be commit d40bc2fa8ddd43560315688eebdbe98bdd02756c)
|
|
password was entered. We would not use the results of the search in
any case.
Andrew Bartlett
(This used to be commit edeb908acaaaaab13bef4d2e3fae18d87c07af81)
|
|
Old way was ugly and had a bug, you couldn't add an attribute named
dn or distinguishedName and search for it, tdb would change that search in a dn search.
This makes it also possible to search by dn against an ldap server as the old method was
not supported by ldap syntaxes.
sss
(This used to be commit a614466dec2484a0d39bdfae53da822cfcf80926)
|
|
editors, and added a test for it.
(This used to be commit 9e428881f6fc0a422ac9011d847e8f692284397a)
|
|
Fill out the group list for the SamLogon reply, so clients get the
supplementary groups.
Andrew Bartlett
(This used to be commit d9c31e60a72c345e3a23a7eb742906bcfc18721c)
|
|
Just use talloc_free() to release the memory after an ldb_search().
(This used to be commit 4f0948dab0aa5e8b6a4ce486f3668ca8dfae23db)
|
|
(This used to be commit 63dfa9b80649928baf72687381fcfb6dd4d20032)
|
|
- This module will take care of properly filling an user or group object
with required fields. You just need to provide the dn and the objectclass
and a user/group get created
Simo.
(This used to be commit fb9afcaf533a4c32547d1857306e0aece8063953)
|
|
secrets system, and not the old system from Samba3.
This allowed the code from auth_domain to be shared - we now only
lookup the secrets.ldb in lib/credentials.c.
In order to link the resultant binary, samdb_search() has been moved
from deep inside rpc_server into lib/gendb.c, along with the existing
gendb_search_v(). The vast majority of this patch is the simple
rename that followed,
(Depending on the whole SAMDB for just this function seemed pointless,
and brought in futher dependencies, such as smbencrypt.c).
Andrew Bartlett
(This used to be commit e13c671619bd290a8b3cae8555cb281a9a185ee0)
|
|
Andrew Bartlett
(This used to be commit 7822101cb5213f192f3195648970784a9de4fac4)
|
|
the SAMR server.
Andrew Bartlett
(This used to be commit fd748f9d2f8f354f76587d92b94de83bffe1c6dc)
|
|
when linking though.
(This used to be commit 2e1e8db6dc877eb32b51cfc3d9c8f463d14530ec)
|
|
(This used to be commit 6749b9404d4e9876ecd964e038c608f05d2c0b69)
|
|
(This used to be commit 196c45b834c39f293b9533cec5cfe5a77382d4e2)
|
|
less likely that anyone will use pstring for new code
- got rid of winbind_client.h from includes.h. This one triggered a
huge change, as winbind_client.h was including system/filesys.h and
defining the old uint32 and uint16 types, as well as its own
pstring and fstring.
(This used to be commit 9db6c79e902ec538108d6b7d3324039aabe1704f)
|
|
(This used to be commit 7607ddda3f221bd5a68d28c0eae297569fbb58b1)
|
|
large commit. I thought this was worthwhile to get done for
consistency.
(This used to be commit ec32b22ed5ec224f6324f5e069d15e92e38e15c0)
|
|
discussion on samba-technical about this.
(This used to be commit e9dff03f79db00636e2b6d93a22e40a3cefed876)
|
|
the w2k3 dc join needs that
metze
(This used to be commit 29bc75ba28f8c73fe22878948ed43c41faee474c)
|
|
netr_ServerPasswordSet and netr_ServerPasswordSet2
so we do now
I also add a torture test for this
metze
(This used to be commit d896ac603a5cf387a10b21e64e2c92ff2626bc4d)
|
|
Add my copyright to the SAMR server.
Andrew Bartlett
(This used to be commit 51e94fa26cc602ddca652776c213cd7096f9703a)
|
|
- Use templates for Secrets and the new trusted domains
- Auto-add modifiedTime, createdTime and objectGUID to records in the
samdb layer.
Andrew Bartlett
(This used to be commit 271c8faadfe2d9e0f3d523a1cdc831f5f9e35d19)
|
|
Avoid a strdup, use a talloc_reference
Use the shortest term memory context possible
Andrew Bartlett
(This used to be commit 5569db0f94807b7e2418630fbdca03be9c65e838)
|
|
- move some structs out of misc.idl
metze
(This used to be commit b6543a6e3057b5588ec50a2ebf6c7c932209efe6)
|
|
one pipe
this stage does the following:
- simplifies the dcerpc_handle handling, and all the callers of it
- split out the context_id depenent state into a linked list of established contexts
- fixed some talloc handling in several rpc servers that i noticed while doing the above
(This used to be commit fde042b3fc609c94e2c7eedcdd72ecdf489cf63b)
|
|
must zero r.out before making the 2nd call if the 2nd call has any
non-ref out parameters. This is needed for the case where the 2nd call
fails, and the 1st call would then fill in its out fields based on
uninitialised memory.
(This used to be commit 202470326dcfaa5d36aaaf6be47eec40fed50402)
|
|
(This used to be commit d79cc8b901ef273547bab2f66355e075da61ce9b)
|
|
important
change was in the ldb_msg_add_*() routines, which now use the msg as a context,
and thus it needs to be a talloc ptr)
(This used to be commit 1a4713bfd0e519f3eb7b3241121ff914a6eeef18)
|
|
Volker
(This used to be commit 04cf580ef30ac38f3f312184a7b18551195a17ce)
|
|
delete a user
with usrmgr.exe.
To fix: Remove domain group membership attrib values when a user is deleted.
Volker
(This used to be commit 83d180c732ba73cf50072ef73ccdd60e72bc9910)
|
|
* Implement samr_search_domain, filter out all elements with no "objectSid"
attribute and all objects outside a specified domain sid.
* Minor cleanups in dcerpc_samr.c due to that.
* Implement srvsvc_NetSrvGetInfo level 100. A quick hack to get usrmgr.exe
one step further.
* Same for samr_info_DomInfo1.
Volker
(This used to be commit cdec89611355fb75d253ecf5b658d0e23de8e440)
|
|
these two,
usrmgr.exe seems to become usable. Some quirks, but it's worth a try.
Volker
(This used to be commit 9c62a239cd609092654ad653972153a3a71e7279)
|
|
(This used to be commit ae3c329e9d718cdc011f8f291ccc68abad6b9cc7)
|
|
(This used to be commit 9e27a83ac3b1470ba52df01743d9a64fcbecc64b)
|
|
(Do we
have to sort the entries?)
Volker
(This used to be commit 26d21bb5cc26964f2d790aa83149ba399ac50db2)
|
|
Hmmm. How do I tell ldb not to descend into cn=Builtin?
Volker
(This used to be commit c95d20cd7c18fbfb5e6e9a5efac07354117610c5)
|
|
samr_GetMembersInAlias.
Volker
(This used to be commit 78802720ae922cf8ad19bf2e8be23a64435c4673)
|
|
Fix IDL
for samr_SetAliasInfo.
Volker
(This used to be commit d70e2371903fb21e24ab2e23d04ee4b0b2ef55e5)
|
|
(This used to be commit b8fa5b9419c6397a4266bfdce3a31b1e016d7faa)
|
|
(This used to be commit 1bab3254f6a27144c6f76edf66573f7fa25b3173)
|
|
samr_QueryGroupMember.
Volker
(This used to be commit 43581c3711d2eeb901094acebea294a3b87d4c0b)
|
|
(This used to be commit 79ec28ade826c6a36e129abbe1e0a207074c676f)
|
|
enough stuff to do in 3_0??? ;-)
Volker
(This used to be commit c0fa7a92d9f602dc50801a9827e121c2b095a336)
|
|
Volker
(This used to be commit 8f2b9c9d320dbea197808081528477d7e4c816d1)
|
|
computer accounts
metze
(This used to be commit f75c2004a0fc889ce5d96790f7d1d5031bce3992)
|
|
the idea is to have a directory service db layer
which will be used by the ldap server, samr server, drsuapi server
authentification...
I plan to make different implementations of this interface possible
- current default will be the current samdb code with sam.ldb
- a compat implementation for samba3 (if someone wants to write one)
- a new dsdb implementation which:
- understands naming contexts (directory parrtitions)
- do schema and acl checking checking
- maintain objectGUID, timestamps and USN number,
maybe linked attributes ('member' and 'memberOf' attributes)
- store metadata on a attribute=value combination...
metze
(This used to be commit 893a8b8bca2f020fbbe6f469aaa8dd4478249eb8)
|
|
lm hash from the samdb, and thus not checking the verifier)
fixed the client side to calculate the lm verifier based on the nt
hash, not the lm hash (confirmed using w2k3)
(This used to be commit 27e7fb3bafe4649359e2e68169b6f10fd4d2cc70)
|
|
hash, not the lm hash
(This used to be commit 8d4f0dc7d0745fc86fd43205b21d846acdc1d8c7)
|
|
password change code.
(This used to be commit f70e8f02d6164046781a5d63fa5c0b86b8ab8df9)
|